Allow AWS Aurora VPC Cluster to be publicly accessible using CDK

I have tried configuring the RDS cluster using cluster.connections.allowDefaultPortFromAnyIpv4(), but I am still not able to connect to my Postgres instance; it keeps timing out.

I've been trying to figure this out for 2 days but still no luck; not sure what to do.

Here is the full code for CDK config.

import { CdkWorkshopStack } from "../stacks/cdk-workshop-stack";
import * as rds from "@aws-cdk/aws-rds";
import * as ec2 from "@aws-cdk/aws-ec2";
import { ServerlessCluster } from "@aws-cdk/aws-rds";
import { Duration } from "@aws-cdk/core";

export const createDbInstance = (
  scope: CdkWorkshopStack
): { cluster: ServerlessCluster; dbName: string } => {
  // Create the VPC needed for the Aurora Serverless DB cluster.
  // The default Vpc construct creates both public and private subnets;
  // the cluster is placed in the private ones unless vpcSubnets says otherwise.
  const vpc = new ec2.Vpc(scope, "AuroraVPC");

  const dbName = "yt_backup";
  // Create the Serverless Aurora DB cluster; set the engine to Postgres
  const cluster = new rds.ServerlessCluster(scope, "yt_backup_cluster", {
    engine: rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
    parameterGroup: rds.ParameterGroup.fromParameterGroupName(
      scope,
      "ParameterGroup",
      "default.aurora-postgresql10"
    ),

    defaultDatabaseName: dbName,
    // The @ts-ignore lines below suppress type errors on props that are valid
    // for ServerlessCluster; a common cause of such errors is @aws-cdk/*
    // packages installed at different versions.
    //@ts-ignore
    vpc: vpc,
    //@ts-ignore
    scaling: { autoPause: Duration.minutes(10) }, // Optional. If not set, then the cluster will pause after 5 minutes
  });
  // Adds an ingress rule for the DB port (5432 for Postgres) from 0.0.0.0/0
  // to the cluster's security group; it does not give the cluster a public IP.
  cluster.connections.allowDefaultPortFromAnyIpv4();

  return { cluster, dbName };
};


Solution 1:[1]

This opens the security group to all connections:

cluster.connections.allowDefaultPortFromAnyIpv4();

This (see the link for exactly where you would specify this) would give the database server a public IP, allowing connections from outside the VPC:

publiclyAccessible: true,

However, you are creating a Serverless cluster, which does not support the publicly accessible feature at this time.

Solution 2:[2]

Like Mark B mentions, a Serverless Aurora DB is not publicly accessible. Having a database publicly accessible is a bad idea from a security point of view, in my opinion (and definitely not open to 0.0.0.0/0).

An application inside your VPC should connect to the database, and if you need to access the database you can use a BastionHostLinux, an SSH tunnel or Direct Connect.

You can switch to a "non-serverless" database if you really need to, as this is publicly accessible if it's on a public subnet and there is an internet gateway for the VPC.
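Both answers agree on the security-relevant point: allowDefaultPortFromAnyIpv4() writes an ingress rule for the database port from 0.0.0.0/0 into the cluster's security group, and that rule should never reach a deployed stack. The check a practitioner would want is to catch it in the template that `cdk synth` produces, before `cdk deploy`. The following script is an added example, not code from the question or from either answer. It assumes the JSON shape of a synthesized CloudFormation template (AWS::EC2::SecurityGroup resources with inline SecurityGroupIngress entries, and standalone AWS::EC2::SecurityGroupIngress resources); the embedded template, including its logical IDs, is constructed for the example and models two security groups: one carrying the rule the question's code produces, and a hardened one that only admits traffic from a bastion host's security group.

```python
"""Audit a synthesized CloudFormation template for database ports open to the world.

Added example: scans a `cdk synth` JSON template for security group ingress
rules that admit a database port from 0.0.0.0/0 or ::/0.
"""
import json
from typing import Any, Dict, Iterator, List, Tuple

DB_PORTS = {3306, 5432}          # MySQL/Aurora MySQL and PostgreSQL/Aurora PostgreSQL
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample template (logical IDs and hashes are invented for the example).
# The first security group carries the rule that
# cluster.connections.allowDefaultPortFromAnyIpv4() produces; the second is only
# reachable from a bastion host's security group via a standalone ingress resource.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "ytbackupclusterSecurityGroupF9A1B2C3": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "RDS security group",
                "SecurityGroupIngress": [
                    {"CidrIp": "0.0.0.0/0", "Description": "from 0.0.0.0/0:5432",
                     "FromPort": 5432, "IpProtocol": "tcp", "ToPort": 5432}
                ],
                "VpcId": {"Ref": "AuroraVPC1A2B3C4D"},
            },
        },
        "HardenedClusterSecurityGroupD4E5F6A7": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "RDS security group",
                "VpcId": {"Ref": "AuroraVPC1A2B3C4D"},
            },
        },
        "HardenedClusterSecurityGroupfromBastionSG5432": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Fn::GetAtt": ["HardenedClusterSecurityGroupD4E5F6A7", "GroupId"]},
                "SourceSecurityGroupId": {"Fn::GetAtt": ["BastionSecurityGroup0A1B2C3D", "GroupId"]},
                "FromPort": 5432, "IpProtocol": "tcp", "ToPort": 5432,
            },
        },
    }
})


def rule_is_world_open(rule: Dict[str, Any]) -> bool:
    """True if an ingress rule admits a database port from any IPv4 or IPv6 address."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if cidr not in WORLD_CIDRS:
        return False                      # source is a CIDR subset or another security group
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto in ("-1", "all"):
        return True                       # all protocols and ports, so the DB port is included
    if proto != "tcp":
        return False
    try:
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    except (TypeError, ValueError):
        return False                      # port given as an intrinsic (Ref/GetAtt); not resolvable statically
    return any(lo <= port <= hi for port in DB_PORTS)


def iter_ingress_rules(template: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (logical_id, rule) for inline and standalone security group ingress rules."""
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        rtype = resource.get("Type")
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield logical_id, rule
        elif rtype == "AWS::EC2::SecurityGroupIngress":
            yield logical_id, props


def find_world_open_db_rules(template_json: str) -> List[str]:
    """Return the sorted logical IDs of resources that open a DB port to the world."""
    template = json.loads(template_json)
    return sorted({lid for lid, rule in iter_ingress_rules(template) if rule_is_world_open(rule)})


if __name__ == "__main__":
    import sys
    # Usage: python audit_db_sg.py cdk.out/<Stack>.template.json  (no argument: sample template)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    findings = find_world_open_db_rules(source)
    for lid in findings:
        print(f"database port open to the world in {lid}")
    sys.exit(1 if findings else 0)
```

Run against the sample, the script flags only the first security group; the hardened group's ingress rule has a SourceSecurityGroupId instead of a CIDR, which is the shape a bastion-host or in-VPC-application setup produces. A non-zero exit makes it usable as a pre-deploy gate in CI.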

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1: Mark B
Solution 2: rjdkolb